Intuit Notice of Unauthorized Access to Tax Returns [pdf]

FWIW, the reports are saying these accounts were compromised due to credential stuffing attacks. While, Intuit can do something about credential stuffing by being proactive and hooking into haveibeenpwned etc. but they were not &quot;breached&quot; in an intrusion sense.<p>[edit]: Here is a source with more info - <a href="https:&#x2F;&#x2F;www.scmagazine.com&#x2F;home&#x2F;security-news&#x2F;intuit-the-company-behind-tax-preparation-software-turbotax-alerted-users-their-accounts-may-have-been-accessed-by-an-unauthorized-party&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.scmagazine.com&#x2F;home&#x2F;security-news&#x2F;intuit-the-com...</a>

Why was this recently uploaded to vermont.gov? Wouldn&#x27;t it be Intuit&#x27;s responsibility to inform its own users?<p>Confused whether this is just precautionary and given out to governments each tax season, or if something has occurred. The &quot;Insert Date&quot; makes it appear like the former.<p>Edit: According to another comment linking to &quot;scmagazine,&quot; this is not precautionary!

This is exactly why I always used to pay extra for the TurboTax desktop edition (I say &quot;used to&quot; because I ended up ditching TurboTax entirely a couple years ago, but that&#x27;s another story). It&#x27;s worth it to me to pay a little extra to reduce the number of entities that have this kind of data stored, and it appears that bet has paid off in this case.

This is one of the reasons I will never use a tax preparation product online. Nor will I file online through the IRS&#x27;s &quot;secure&quot; system. Even the downloadables are open to shenanigans behind the scenes, so it&#x27;s not the best option either.<p>At some point, it&#x27;s possible that one or more IRS databases themselves will be breached. This may (?) cause a re-evaluation of the risks the US government is subjecting its citizens to by collecting and storing such large volumes of financial data.

The document says that the accounts may have been accessed using id&#x2F;password combinations obtained from other sources. But doesn&#x27;t TurboTax have two-factor authentication? If so, how is this possible? If not, what would an extremely important service like TurboTax not have two factor authentication?

Even if one account is compromised, they have to send that notification. So I wouldn&#x27;t be so worried about it. Some credentials stuffing attack gained access to a few accounts protected by a password like 123456. TurboTax has 2FA support.

I have a ticket open with them for a couple of weeks now due to them not supporting MFA with my bank. My bank requires the token code after the password and TurboTax tries to replay the password and token code twice. I feel like a financial institution shouldn’t be tripped up by enterprise secretary that they assuredly have in house too.

Side note: TurboTax&#x27;s updater still requires TLS 1.0. <i>facepalm</i>